SecureWorks Backs Out of Macbook Demo

SAN DIEGO, Sept. 29 -- I'm blogging from sunny Southern California, where the 8th annual Toorcon security conference is about to get underway. But before its official kick-off, I want to update Security Fix readers about a last-minute development.

David Maynor, the SecureWorks researcher who was set to demonstrate how wireless driver flaws could be used to compromise an Apple Mac laptop, suddenly has been yanked from the ranks of Toorcon presenters.

At around 12:50 p.m. PT, SecureWorks issued the following press release:

"SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues. We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC, that it is appropriate."

I followed up with SecureWorks spokesperson Elizabeth Clarke and was told via e-mail that "David is not presenting at Toorcon this weekend. Additionally, SecureWorks is not making any additional statements around our work with Apple."

This would have been nice information to have about a week ago when I made reservations to come out here. I was given assurances that Maynor would publicly demonstrate the exploit I saw in person in Las Vegas, wherein he used a Windows laptop to remotely compromise a Macbook by targeting what he said were vulnerabilities in the Mac's wireless device drivers. He demonstrated the flaw publicly in August, but he used an Apple laptop equipped with a third-party wireless card (a step he said he took to give Apple time to look into the vulnerability).

The write-up from Toorcon's page on their conference tracks suggested this talk would have laid all of the controversy to rest:

"Recently we gave a public demonstration of an exploit in a wireless device driver. We thought it was timely, important, but most importantly it was super cool. Since the first details of our demo were reported two camps instantly formed, people who thought the work and research was good and people who thought we faked everything and we are horrible people. How could opinions differ so greatly? What is the story behind exactly what happened and more importantly what does this response mean for the security industry as a whole? This presentation won't be a typical as it will cover the complete story, but it will also offer analysis and commentary of public responses while at the same time giving anyone who has a question a chance to have it answered."

When Apple issued patches last week to fix three separate, remotely exploitable flaws in their wireless device drivers, I felt confident that the rest of the world was going to finally have a chance to witness what I saw. But it appears that remains on hold. I have contacted Apple requesting comments, and I sent Maynor's co-presenter, Johnny "Cache" Ellch, a message to find out whether he might still be coming.

The big, unanswered question in my mind is: Why issue a statement that you're going to let CERT/CC decide if and when you can talk about this if Apple has already released patches to fix the problem they addressed? Apple has said all along that SecureWorks never shared with them any information that would prove that Mac products were exploitable remotely in the manner Ellch and Maynor described (even though the description that accompanied Apple's patches last week indicated that the company concluded that some of its products were remotely exploitable). My suspicion is that CERT/CC won't ever give the go-ahead -- if that is indeed the arrangement -- and that we may never know the whole truth behind this seemingly never-ending saga.

I will update this post if and when I hear back from Apple, Ellch or Maynor. Stay tuned.

Update, 4:29 p.m. PT: I spoke with Ellch, who's here preparing for a seminar he's now giving alone today. He said he had no idea what we could expect tomorrow. Meanwhile, I heard back from Lynn Fox at Apple, who said in an e-mailed statement:

"We are working with SecureWorks, and we're always open to hearing from other security researchers on how to improve security on the Mac. We don't have any further comments."